OS X 上 Java Web Start 应用程序的身份不明的开发人员
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/19767394/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Unidentified developer for Java Web Start application on OS X
提问by Emmanuel Bourg
On Mac OS X 10.9 signed Java Web Start applications are blocked by default with the message:
在 Mac OS X 10.9 上,签名的 Java Web Start 应用程序默认被阻止并显示以下消息:
"application.jnlp" can't be opened because it is from an unidentified developer.
I know it's possible to weaken the security checks to allow any application to run, but that requires a manual intervention of the end user.
我知道可以削弱安全检查以允许任何应用程序运行,但这需要最终用户的手动干预。
Is it possible to "sign" a Java Web Start application such that it is recognized as originating from an identified developer?
是否可以对 Java Web Start 应用程序进行“签名”,使其被识别为来自已识别的开发人员?
Thank you
谢谢
采纳答案by amos
Apple does appear to support signing of webstart -- but not directly. You have to bundle it in an archive. See the note at the bottom of thispage:
Apple 似乎确实支持 webstart 的签名——但不是直接的。您必须将其捆绑在存档中。见注在底部此页面:
You can use the codesign utility to sign the JNLP file, which will attach the code signature to the JNLP file as extended attributes. To preserve these attributes, package the JNLP file in a ZIP, XIP, or DMG file. Be careful using the ZIP format, as some third-party tools might not capture the required extended attributes correctly.
您可以使用 codesign 实用程序对 JNLP 文件进行签名,这会将代码签名作为扩展属性附加到 JNLP 文件。要保留这些属性,请将 JNLP 文件打包为 ZIP、XIP 或 DMG 文件。使用 ZIP 格式时要小心,因为某些第三方工具可能无法正确捕获所需的扩展属性。
Also note that XIP isn't supported for non-Apple developers anymore:
另请注意,非 Apple 开发人员不再支持 XIP :
Important: Starting with macOS Sierra, only XIP archives signed by Apple will be expanded. Developers who have been using XIP archives will need to move to using signed installer packages or disk images.
重要提示:从 macOS Sierra 开始,只会扩展由 Apple 签名的 XIP 档案。一直在使用 XIP 存档的开发人员将需要转向使用签名的安装程序包或磁盘映像。
回答by Stan W
Here is a related post. It doesn't appear to be possible to bypass the security, Allow All, workaround.
这是一个相关的帖子。似乎不可能绕过安全性“全部允许”解决方法。
OS X 10.8 Gatekeeper and Java applets
OS X 10.8 Gatekeeper 和 Java 小程序
From Apple Tech Support in the post above.
来自上面帖子中的 Apple 技术支持。
Unidentified developer" means a source other than the Mac App Store or a Developer ID-identified developer. Note that Java applets cannot participate in the Developer ID program.
未识别的开发者”是指 Mac App Store 或 Developer ID 识别的开发者以外的来源。请注意,Java 小程序不能参与 Developer ID 计划。
I am considering building a native app and use a custom web protocol instead similar to skype where you see skype:// in the URI. It doesn't seem like Apple will change their stance on java applets in the near future. It will most likely become more restricted and eventually just disabled like flash on iOS.
我正在考虑构建一个本机应用程序并使用自定义 Web 协议,而不是类似于在 URI 中看到 skype:// 的 Skype。在不久的将来,Apple 似乎不会改变他们对 Java 小程序的立场。它很可能会受到更多限制,最终就像 iOS 上的 flash 一样被禁用。
回答by Derek Slife
In the latest OSX releases, Apple has changed it's security model to only support applications from the Mac App Store and identified developers. In most cases, this prohibits jnlp/java-web-start applications from launching.
在最新的 OSX 版本中,Apple 已将其安全模型更改为仅支持来自 Mac App Store 和已确定的开发人员的应用程序。在大多数情况下,这会禁止 jnlp/java-web-start 应用程序启动。
If this is a trusted application, you may override these settings by updating your system settings as follows:
如果这是受信任的应用程序,您可以通过更新系统设置来覆盖这些设置,如下所示:
System Preferences -> Security & Privacy -> (Unlock Window) -> Allow apps downloaded from: (Select Anywhere)
系统偏好设置 -> 安全与隐私 ->(解锁窗口)-> 允许从以下位置下载应用程序:(选择任何地方)
In some cases you may need to update your Java Security preferences too
在某些情况下,您可能还需要更新您的 Java 安全首选项
System Preferences -> Java -> Security -> (Select Medium)
系统偏好设置 -> Java -> 安全性 ->(选择中)
Be careful when adjusting these. These settings will open you up to popular attack vectors where an attacker can exploit vulnerabilities within the java runtime (Java 0 days).
调整这些时要小心。这些设置将使您容易受到流行的攻击媒介的攻击,攻击者可以在这些媒介中利用 Java 运行时(Java 0 天)中的漏洞。
回答by CpnCrunch
This seems to have changed in OS X 10.10. Now after going to System Preferences -> Security & Privacy -> (Unlock Window) -> Allow apps downloaded from: (Select Anywhere)(after trying to run the .jnlp file) you'll see an option to "Run anyway".
这似乎在 OS X 10.10 中发生了变化。现在,在转到系统偏好设置 -> 安全和隐私 ->(解锁窗口)-> 允许从以下位置下载的应用程序:(选择任何地方)(尝试运行 .jnlp 文件后),您将看到一个“仍然运行”的选项。
回答by jla
The answers to How to sign (dynamic) JNLP files for OSX and Gatekeeperaddress this question, just ignore the 'dynamic' aspect.
如何为 OSX 和 Gatekeeper 签署(动态)JNLP 文件的答案解决了这个问题,只需忽略“动态”方面。
You can codesign -f -s "Developer ID Application: " application.jnlpbut the HFS resource won't transfer with the file over the web.
您可以,codesign -f -s "Developer ID Application: " application.jnlp但 HFS 资源不会通过网络与文件一起传输。
Until Oracle works out a solution, if they ever do, addressing JNLP/Web Start it looks like we have to figure out a work-around that starts us down the path to creating a Mac app bundle.
在 Oracle 制定出解决方案之前,如果他们真的解决了 JNLP/Web Start,那么看起来我们必须找出一种解决方法,让我们走上创建 Mac 应用程序包的道路。
